
A new ransomware variant has been discovered in-the-wild. Kafeine posted about it after accidentally discovering it roughly 11 hours ago; a link to Kafeine's blog post regarding the CryptoFortress ransomware can be found below:

While originally believed to be extremely similar to the TorrentLocker ransomware variant, further analysis has determined that it likely has used source code for the ransom notes and other web pages from TorrentLocker, but is actually a unique, new variant of ransomware altogether.

TorrentLocker Ransom Note

CryptoFortress Ransom Note

TorrentLocker Payment Page

CryptoFortress Payment Page

Updated Information

Tor Gateways Used:

connect2tor.org

door2tor.org

onion.cab

onion.city

tor2web.org

Tor URLs Used:

<systemIdentifier>.onion

Referenced URLs:

torproject.org

deepdotweb.com/how-to-access-onion-sites/

Initial executable launches a bat file via Command Prompt:

cmd.exe cmd /c C:\<random>.bat

Creates the same mutex on all reviewed devices infected:

\Sessions\1\BaseNamedObjects\Catawba!

Some Evasion Functionality:

Checks for kernel debuggers

Checks the free space of the local hard drive

Checks if a debugger is running

Disables application error messages (SetErrorMode)

Extensive use of GetProcAddress

Process Tree:

<initial executable>.exe -> cmd.exe -> vssadmin.exe

VSSVC.exe

svchost.exe

Key Information:

CryptoFortress utilizes a 2048-bit RSA-AES key for encryption; this key is generated on the client-side and therefore is briefly stored on the infected device itself. The ransomware takes the 2048-bit RSA key and XORs it with an embedded key, and appends 8 bytes of the key to the end of each file. It's unknown why the malware author implemented the functionality of appending 8 bytes of the RSA key to the end of affected files.

Observed Network Behavior:

CryptoFortress has been observed to attempt to make network connections, but often fails at initiating external connections. It has also been found to exhibit a large quantity of malicious SMB traffic.

Functionality:

CryptoFortress has been found to enumerate network shares, all logical drives, and also deletes Volume Shadow Copies (VSCs) to prevent the easy recovery of affected files.

Mechanism of Action

Launching of Payload File (PE)

Upon launching CryptoFortress' initial payload (PE) file, it will create a .bat file and write the following code to it:

vssadmin delete shadows /all /quiet
del /f /q %0

It will then enumerate the file system for supported data files. When a supported data file is found, CryptoFortress will create a copy of the file as the original file name and extension with .frtrss appended to the end. It will then encrypt the data within this file and restore this file to the original name and extension. I have not observed any explicit deletion of the original file at this time, but it likely securely deletes originals; if not, the renaming -> encryption -> restoration of the file probably occurs fast enough (<15s) to overwrite the MFT record of the original file.

Timestomping activity (the spoofing of file timestamps [$STANDARD_INFORMATION {$SIA} attribute]) has been observed, but does not appear to occur on every single file affected or directory encountered.

It has been observed to monitor the following registry key:

HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder

It has been found to create the same mutex on each infected device:

\Sessions\1\BaseNamedObjects\Catawba!

A cmd.exe (command-line terminal) process is launched by the initial executable, and is launched to execute the created bat file. The command-line arguments passed to cmd.exe are:

cmd /c C:\<random>.bat

Once the bat file is launched, it will delete itself, and then query the following directories with the respective masks to ensure that the bat file has been deleted, and to find the vssadmin.exe utility:

When discovered, the VSSVC.exe process is launched as a result of vssadmin.exe's launch. As displayed previously in the bat file code, vssadmin.exe is called with the following command-line arguments:

vssadmin delete shadows /all /quiet

This command will delete all Volume Shadow Copies (VSCs), preventing the easy restoration of files; it does so in a fashion that is transparent to the user.

When a file is encrypted within an enumerated directory, CryptoFortress will drop a ransom note in that directory, named:

READ IF YOU WANT YOUR FILES BACK.html

The interesting thing about CryptoFortress is that it doesn't appear to keep records of all directories that have been enumerated; meaning, that it will drop as many ransom notes in a directory as there are supported data files that it has encrypted. All ransom notes are named the same, and I have observed a full directory of 30 data files that have been encrypted to contain an additional 30 files of ransom notes.

Additional Interesting Activity Observed on Windows XP Devices:

On Windows XP, some interesting activity has been observed, including the creation and execution of two (2) bat files as opposed to one (1) as observed on Windows 7. An additional command-line utility was executed on an analyzed Windows XP device:

chcp.com 1251

What this does is it changes the language of the command-line terminal, and the identifier 1251 changes the language to Russian.

Additionally, local sockets were found to have been bound and connected on an analyzed Windows XP device:

As we commonly see with these ransomware cases, a huge thanks to Nathan for quickly reverse-engineering the binary, and allowing us to gather further information related to the key information, and exposing the inner workings of this new ransomware variant. More updates to come.
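The process chain and command lines described in the post above (payload -> cmd.exe running a root-level .bat -> vssadmin deleting all shadow copies, plus the chcp.com 1251 call seen on XP) translate directly into host-based detection logic. The following is an added example, not code from the thread or from any of the analysts posting in it; the Sysmon-style event records, PIDs and file names are constructed for illustration.

```python
import re

# Constructed Sysmon-style process-creation events (not from the thread).
# The chain mirrors the one the post describes: <payload>.exe -> cmd.exe -> vssadmin.exe.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800,  "image": r"C:\Users\bob\Downloads\invoice.exe",
     "cmdline": r"C:\Users\bob\Downloads\invoice.exe"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\qzxk7.bat"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin delete shadows /all /quiet"},
    {"pid": 1500, "ppid": 1300, "image": r"C:\Windows\System32\chcp.com",
     "cmdline": r"chcp.com 1251"},
    # Benign: an administrator listing shadow copies from an interactive shell.
    {"pid": 1600, "ppid": 700,  "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},
]

# Indicators taken from the post: a .bat at the root of C:\ run via "cmd /c",
# silent deletion of all shadow copies, and "chcp.com 1251" observed on Windows XP.
RULES = {
    "root_bat_via_cmd":     re.compile(r"^cmd(?:\.exe)?\s+/c\s+C:\\[^\\\s]+\.bat$", re.I),
    "shadow_copy_wipe":     re.compile(r"^vssadmin(?:\.exe)?\s+delete\s+shadows\b(?=.*\s/all\b)(?=.*\s/quiet\b)", re.I),
    "codepage_1251_switch": re.compile(r"^chcp(?:\.com)?\s+1251$", re.I),
}

def match_rules(events):
    """Return {pid: [rule names]} for every event whose command line hits a rule."""
    hits = {}
    for ev in events:
        names = [name for name, rx in RULES.items() if rx.search(ev["cmdline"])]
        if names:
            hits[ev["pid"]] = names
    return hits

def shadow_wipe_chains(events):
    """Return (grandparent, parent, child) images for each shadow-copy wipe whose
    parent is a cmd.exe that itself ran a root-level .bat file, i.e. the full chain."""
    by_pid = {ev["pid"]: ev for ev in events}
    chains = []
    for ev in events:
        if not RULES["shadow_copy_wipe"].search(ev["cmdline"]):
            continue
        parent = by_pid.get(ev["ppid"])
        if not parent or not RULES["root_bat_via_cmd"].search(parent["cmdline"]):
            continue
        grand = by_pid.get(parent["ppid"])
        chains.append((grand["image"] if grand else None, parent["image"], ev["image"]))
    return chains

if __name__ == "__main__":
    print(match_rules(SAMPLE_EVENTS))
    print(shadow_wipe_chains(SAMPLE_EVENTS))
```

The chain check is what separates this sample from routine administration: a bare `vssadmin delete shadows` from an interactive shell does not satisfy shadow_wipe_chains, while the post's payload -> cmd.exe -> vssadmin.exe sequence does.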

Malware spreaders are ready to anything to make money with these Cryptowares now, so sad. Will monitor this thread to see your updates and analysis. Let's see what we'll be facing this time. Was it tested against CryptoPrevent and HitmanPro.Alert yet?

Not sure, but I doubt it. Seems to be brand new; Kafeine believes it is equivalent to TorrentLocker with just a different name, but I am performing static and dynamic analysis right now to confirm the additional information. Will post information when I gather it all.

Seems off. The only equivalent I see to TorrentLocker is things any script kiddie could get (html source from site, ransom note etc.) it has a different tor site even for English, which remains static on all their variants, different ransom note name, and the biggest is no network traffic, as the real TorrentLocker sends a ton. This could be someone trying to profit their bleepty ransomware off a successful one, which happens a lot now. I'll get the dropper and reverse it soon.

Has anyone really confirmed RSA use in olly or Ida?

Again it could be TL, but always worth checking.

Still working on it, haven't gotten that far yet but I agree with you. That information was initial information from a security vendor, but the more I look at this one the less I agree with what they've stated. The language thing is interesting too, as it does launch CHCP.COM perhaps to identify the victim's country code / language?

For now -- retracting previous statement that it definitely exhibits network communication... not seeing any on this run of Win 7... bing.com and microsoft.com likely just the default page of IE when it launches.